Everything you need to know about U.S. email encryption laws

Early this month, PayPal halted the flow of over $275,000 in public donations to the encrypted webmail service ProtonMail. Its reason: Certain encryption services might not be legal under U.S. law. Crazy, right? Actually, it's not as ridiculous as you might think.

Based in Switzerland, a country with a long history of respecting privacy rights, ProtonMail is an Web-based email service started by a handful of researchers who met at the European Organization for Nuclear Research (CERN)—the same place that employed Tim Berners-Lee when he created the World Wide Web. The idea behind ProtonMail, conceived in the wake of the Edward Snowden revelations, was to create a secure email service that is as resistant to government snooping as it is easy to use.

At least on the latter goal, the ProtonMail team succeeded. (Its security is still in the tweaking phase.) The service is almost as easy to use as Gmail, and immediately proved so popular that there’s a long waiting list for users interested in obtaining a free account.

PayPal, on the other hand, has long history of cutting people off from their hard-earned money. In 2010, the company froze $750,000 in payments to the creator of the beloved indie game Minecraft. Five years prior, it halted $30,000 in donations raised by the the blog Something Awful for Hurricane Katrina relief—eventually returning the Something Awful donations to their original sources.

While those other examples of PayPal’s interference into the businesses of its customers were related to what the company deemed to be ‟suspicious activity,” the reasoning behind halting ProtonMail’s money was a little different.

According to ProtonMail co-founder Andy Yen, PayPal froze the money out of concerns that, by offering an encrypted email service, ProtonMail might be breaking U.S. law.

As Yen explained it at the time:

‟The PayPal rep that we spoke to ... basically said that in some jurisdictions, fully encrypting emails may be against government regulations and wanted to know if we had received government approval for this service. ...We asked which exact governments and jurisdictions they were concerned about and we were told they were concerned about issues potentially coming from the U.S. government.”

ProtonMail’s management wrote a blog post about the freeze, the media quickly picked up on it, and everyone involved piled a metric ton of hate on PayPal. The online payments service relented, blaming everything on a ‟technical problem,” and quickly re-allowed ProtonMail access its funds. Unsurprisingly, all the attention was good for business and ProtonMail’s campaign saw a marked increase in donations—notably with a surge in Bitcoin donations, which aren’t controlled by heavy-handed third-party companies.

Much of ire directed at PayPal came from people insisting that there’s nothing illegal about encrypting someone’s email. While that’s undoubtedly true, the issue isn’t nearly as starightforward as it may seem.

Laws about what obligations an email service has to have the ability to turn information over to the government when it demands it aren’t necessarily 100 percent settled and the freedoms Americans have to protect digital communications from eavesdropping in the first place only arose after years of legal and legislative wrangling.

It’s easy to see why U.S. law enforcement might be profoundly uncomfortable with the concept of systems that effectively make it impossible for them to gather certain digital information about suspects regardless of what legal authority they possess. Although, with the promulgation of services like ProtonMail aiming to make encryption far more straightforward, that those roadblocks are moving out of the realm of the theoretical. According to a recent report in Wired, encryption foiled the efforts of law enforcement officials nine times last year, more than double of the year before. Prior to 2012, that sort of thing had never actually happened.

‟It’s a common misconception that it’s somehow illegal to make privacy technology that the government wouldn’t be able to break,” says Seth Schoen, senior staff technologist at the Electronic Frontier Foundation (EFF). ‟There’s never been a regulation in the U.S. limiting the private use of cryptography by end users; there’s no law that says you can’t use the crypto of your choice.”

That does not, however, mean the U.S. government hasn’t spent much of the past half-century alternately attempting to undermine those very same cryptographic systems, nor does it mean there aren’t necessarily ways in which government can force companies to comply with its information requests—even when those companies would rather not participate.

• • •

Public use of cryptography wasn’t really an issue until the 1970s. Before that, crypto technology was largely the province of militaries and government spy agencies. In the 70s, academics around the world started doing an increased amount of cryptographic research, the results of which were then public. Stories abounded of government officials contacting cryptographic researchers and warning them about the dangers of strong, publicly accessible cryptography.

A handful of countries, like China and France, placed restrictions on what sort of cryptography can be used by its citizens without first obtaining a specific government license; however, the U.S. government never imposed direct prohibitions. First Amendment protections against ‟abridging the freedom of speech” makes such laws a tough sell. But the U.S. did impose controls on what type of cryptographic programs could be exported to users overseas by listing cryptography as an ‟auxiliary military technology.”

These controls made it illegal for U.S. companies to export strong crypto technology—stuff that couldn’t be broken on a modern laptop running a decryption program for a few days. As a result, many companies began posting two versions of downloadable software online—a strong version for the U.S. market, and one for International audiences that was much weaker, or didn’t even use encryption at all.

With the growth of the Internet in the early 1990s, the no-export controls became increasingly ineffective. Simply posting a piece of software online technically counted as an export because people in other countries were able to download it—and they were able to download it.

The result was a conflict Schoen called the ‟crypto wars,” with civil libertarians and technologists on one side, arguing for the relaxation of export controls and law enforcement; and intelligence officials on the other, fighting to keep them in place, if not tighten them. In the end, the former camp won out and the controls were eased significantly, although some remain in a considerably limited form.

During the ‟crypto wars,” most of the arguments were over programs that someone could download on their computers, not Web-based services like ProtonMail that are located on a server somewhere. Because of this distinction, the issue remains vague.

While PayPal representatives did not respond to a request for comment, there’s good reason to believe the Communications Assistance for Law Enforcement Act (CALEA ) was at the root of the company’s ProtonMail blockage.

Prior to the passage of CALEA in 1995, phone companies had to comply with government orders for wiretaps on specific phone lines, but they weren’t required to have the technology on hand that allowed them to actually install wiretaps. In other words, telecoms could get in trouble for willfully flouting a wiretap order, but not for being technically unable able to install one in the first place. After CALEA, phone companies were forced to buy special boxes they could hook up if the government wanted to install a wiretap.

At the time of CALEA’s passage, a similar coalition of technologists and civil liberties groups that fought the “crypto wars” worked with legislators to ensure CALEA didn’t apply to the Internet. Internet service providers (ISPs) and online services, like webmail or instant messaging, still had to comply with law enforcement when they received an order for information. They just weren’t necessarily required to insert backdoors into all of their products.

This understanding of CAELA held for about a decade, until a coalition of law enforcement agencies successfully petitioned the Federal Communications Commission (FCC) to reinterpret the law so it would apply to ISPs—requiring them to have wiretapping boxes on hand just like phone companies, something Schoen said ‟felt like an enormous betrayal of the law’s original intent.”

It still doesn’t apply to online services like ProtonMail, but there’s been a consistent, concerted push by by government officials to make the law do just that.

In 2010, the Obama Administration floated a bill that would have required all online communication services, from Skype to Facebook, to install backdoors that let government officials see traffic coming over their networks unencrypted. The proposed law never made it through Congress; although, the following year, the FBI’s general counsel gave a speech before the House Judiciary Committee that was widely interpreted as calling for the universal installation of backdoors into all online products.

Companies like ProtonMail don’t have an obligation to create technologies that easily enable enable government surveillance, but that doesn’t mean they couldn’t be compelled to modify their existing technologies to add wiretapping capabilities after the fact.

• • •

In 2003, an unnamed company that makes a device installed in cars that allows drivers to locate the vehicles if they’re stolen and make certain kinds of emergency phone calls challenged a court order to convert one of its devices into a surveillance system to gather information on a specific target of a government investigation. The court seemed to largely accept the government’s argument that it had the authority to compel the company to modify its technology, but ultimately ruled in the company’s favor because altering the device presented a serious safety issue. The modification would have prevented the suspect from using the system to make calls to emergency services, which was the product’s primary function.

Still, the court largely held that the government could force companies to modify their systems to allow for surveillance. Not to mention that federal law gives the government broad authority to collect information on foreign nationals—hence the National Security Agency’s controversial PRISM program.

There’s some evidence that this does occur, although finding anything definitive is tricky due to government mandates about disclosure. In a statement to the Guardian, made in response to a question about NSA eavesdropping on its Skype online voice and chat service, a representative from Microsoft said:

"When we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues."

But what happens with a service like ProtonMail that’s explicitly designed to make that sort of data collection impossible?

‟In this case, there’s just a lot that we don’t know,” Schoen said. ‟There is language in the wiretap law that refers to an ‛obligation to provide assistance.’ And in a way that language is very broad. One could make an argument that ‛assistance’ could include changing the code, deceiving the user, redesigning the service, all sorts of things.”

The harsh reality is that, even if the law is ambiguous, nearly all companies comply with government requests for user data. And very few companies have designed their services to protect users against the company itself—that feature only started to draw significant public demand in the year since we learned of the NSA’s surveillance capabilities.

One of the most high-profile instances in which a court has seriously considered something approaching this question is when Federal Bureau of Investigation (FBI) officials went after the secure email service Lavabit in an apparent attempt to gain information about its most famous user—Edward Snowden.

Shortly after information from Snowden’s leaks were published by the Guardian, government agents obtained a court order that allowed them to collect the metadata from a certain, unnamed account (such as who the account sent emails to, the date and time those emails were sent, etc.), as well as obtain the private keys that would allow the officials to decrypt all the information on the service. Lavabit founder Ladar Levison objected and fought the order in court.

Levinson lost, but only on a technicality. The court didn’t rule that Lavabit was necessarily compelled to hand over information about a user of a service explicitly designed to be secure from that very type of intrusion. Instead, Levinson went down because he failed to correctly file a legal procedure early on in the case, when he was still forced to represent himself because he couldn’t find a lawyer in his price range and geographic proximity that specialized in both First Amendment law and advanced cryptography.

Levinson took out his frustration by printing the key, which consisted of a random string of letters and number, in eleven pages of unreadable four-point font.

Even though Levinson was forced to give the government access to the site (and ended up shutting the whole thing down as a result) the court didn’t give a lot of guidance on the responsibilities encrypted webmail operators have when it comes to handing over government documents—other than making sure they hire a good lawyer from the outset.

However, as the law currently stands, people aren’t required to build online services that are accessible by a government request; but, if your service is in any way penetrable, the operators of those services can be compelled to turn over what information the government could theoretically access.

At the end of the day, PayPal may have been wrong in thinking that ProtonMail was raising funds for an illegal service. Temporarily blocking people’s donations to the service without a ironclad reason to do so is the type of behavior that’s earned PayPal its reputation as being one of the most hated companies on the Internet.

Still, PayPal wasn’t entirely out of line in being a little uncomfortable with the idea of a service that makes it considerably more difficult for the U.S. government to eavesdrop on the communications of whomever it wants. The government doesn’t seem entirely comfortable with it either.